Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys Dark Crystal RAT (DcRAT). This enables data exfiltration and espionage activities. The campaign, likely ongoing since late 2023, exploits Ukraine's high software piracy rates, potentially compromising home users, businesses, and government networks. Multiple distribution campaigns have been observed, using similar lures and tactics. The attackers employ sophisticated techniques, including disabling Windows Defender, using Living Off the Land Binaries, and establishing persistence through scheduled tasks. The operation aligns with Russia's broader hybrid warfare strategy against Ukraine.
OPENCTI LABELS:
ukraine,dcrat,cyber espionage,apt44,backorder,kalambur,gru,dark crystal rat,kms activators,backorder loader,software piracy